feeReceipient is not checked on borrow and repay. The borrower can pass any account, even their account so they receive the fee. (i.e. free borrowing). Also, profit_share and interest_share will be transffered to the borrower instead of the platform.
This applies on borrow for the openning fee and on repay for both profit_share and interest_share.
On borrow and repay functions, there is no validation against the passed fee_receipient account.
Tools Used
Manual analysis
Recommended Mitigation Steps
Add a config account on the protocol level, this config will have fee_receipient to be set by the admin. Then, on borrow and repay, check the passed account if it matches against the one from the config.
Lines of code
https://github.com/code-423n4/2024-04-lavarage/blob/main/libs/smart-contracts/programs/lavarage/src/processor/swap.rs#L12 https://github.com/code-423n4/2024-04-lavarage/blob/main/libs/smart-contracts/programs/lavarage/src/processor/swapback.rs#L137
Vulnerability details
Impact
feeReceipient
is not checked onborrow
andrepay
. The borrower can pass any account, even their account so they receive the fee. (i.e. free borrowing). Also,profit_share
andinterest_share
will be transffered to the borrower instead of the platform.This applies on
borrow
for the openning fee and onrepay
for bothprofit_share
andinterest_share
.Proof of Concept
On borrow,
fee_receipient
is uncheckedborrow.rs#L26
On repay,
fee_receipient
is unchecked toorepay_sol.rs#L23
On
borrow
andrepay
functions, there is no validation against the passedfee_receipient
account.Tools Used
Manual analysis
Recommended Mitigation Steps
Add a config account on the protocol level, this config will have
fee_receipient
to be set by the admin. Then, onborrow
andrepay
, check the passed account if it matches against the one from the config.Assessed type
Invalid Validation